Apple endorses federal privacy legislation at U.S. Senate hearing

In a U.S. Senate committee hearing Wednesday, Apple's vice president of software technology, Guy "Bud" Tribble, stated Apple's support for legislation, while agreeing that the Federal Trade Commission should hold regulatory authority.

At a hearing of the Senate Committee on Commerce, Science, and Transportation in Washington Wednesday, Tribble testified alongside representatives of Alphabet/Google, Amazon, Twitter, AT&T, and Charter Communications. Throughout, Tribble expressed support for the idea of privacy legislation itself, and gave either qualified or unqualified yesses to most proposals put forward by most Senators.

"I am honored to be with you for this important hearing and to convey Apple's support for comprehensive federal privacy legislation that reflects Apple's longheld view that privacy is a fundamental human right," Tribble said in his opening statement.

"To Apple, privacy means much more than having the right to not share your personal information. Privacy is about putting the user in control when it comes to that information," Tribble continued. "That means that users can decide whether to share personal information and with whom. It means that they understand how that information will be used. Ultimately, privacy is about living in a world where you can trust that your decisions about how your personal information is shared and used are being respected. We believe that privacy is a fundamental human right, which should be supported by both social norms and the law."

"These concepts have guided our design process for years because privacy is a core value at Apple, not an obligation or an aftermarket add-on," Tribble said.

Tribble also made a point of pushing for any new privacy legislation to not place undue burdens on app developers.

"We have an app store with 6 million developers in the U.S., some are small and medium-sized businesses, and [we hope that] the burden will not be on them as to record-keeping, to make sure it's not overburdensome for that class of companies," Tribble said in his testimony. He added that Apple had earlier worked with the Office of the National Coordinator for Health IT (ONC) to help create a "model privacy notice" for app developers in the health space who may not have access to a full legal team, and would interested in coming up with those sorts of solutions in the future.

Tribble agreed with most of the other executives present that the FTC should handle most enforcement for the new privacy regime.

"Apple agrees that the FTC should get the resources they need a part of comprehensive legislation," he said.

Mentioned throughout the hearing was that both the European Union that invoked the General Data Protection Regulation, and the state of California have both passed privacy laws, both of which some tech companies believe are too stringent. The executives discussed whether the federal law will preempt the local one, as well as what disclosures will be required for data sharing.

Broadcast on C-SPAN 3 and streaming online, the hearing was not what would be considered a high-profile proceeding. It was notably non-contentious, although some Republican senators, including Ted Cruz of Texas and Cory Gardner of Colorado, asked pointed questions about Google's China policy near the end of the hearing. Cruz also asked Google chief privacy officer Keith Enright whether Google is working to censor conservatives from search results.

Committee Chairman John Thune (R-S.D.) said at the end of the two-and-a-half-hour proceeding that it was likely the first of multiple "conversations going forward" as the committee works on legislation.

Comments

This is another example of Apple moving to where the puck will be, not where it is. I think Apple saw this privacy issue coming a long way off and decided to jump on board with both feet. Meanwhile, Google and Facebook’s business models are incompatible with privacy and data security. In both companies their users are the products they sell (to advertisers). When this all goes down, and it will eventually, Apple will be in a position to capitalize on it and come out smelling like a rose.

Isn't that cute. The troll wants to come out and play. What, exactly, does Elcomsoft have to do with privacy? And what does Facebook and Google vacuuming up mountains of data to monetize and make money have to do with Apple?Or were just sitting around waiting for some article you could spam your link to?

If you think this is only about storing data locally or not, you really need to learn more about what's at stake here.

And, btw, that tool you link to explicitly states that it needs your Apple ID and password in order to get at iCloud data. The only thing it can do without that is attempt to extract data from local backups.

This is another example of Apple moving to where the puck will be, not where it is. I think Apple saw this privacy issue coming a long way off and decided to jump on board with both feet. Meanwhile, Google and Facebook’s business models are incompatible with privacy and data security. In both companies their users are the products they sell (to advertisers). When this all goes down, and it will eventually, Apple will be in a position to capitalize on it and come out smelling like a rose.

I rather see this as an example of not understanding the federal government. What is very likely to happen is people within the FTC, the FBI, CIA and yes even congress, will see this as a way to promote their agendas and saddle these privacy protections with more holes than Swiss cheese. If anything Apple is being manipulated into a set of regulations that will do more to damage privacy than ensure it.

On the contrary, Google is asking for the same thing and in today's testimony highlighting some of the same privacy discussion points as Apple made. This is one those times when both are in agreement on the need for Federal legislation and FTC enforcement of user privacy regulations. In case you're wondering so is Amazon.

Facebook? Correct, they were not there and won't be testifying in this hearing.

If you think this is only about storing data locally or not, you really need to learn more about what's at stake here.

And, btw, that tool you link to explicitly states that it needs your Apple ID and password in order to get at iCloud data. The only thing it can do without that is attempt to extract data from local backups.

...indeed clarification would be helpful - does Apple or powers that be under the Patriot Act or if war is declared have access to iCloud data...?

I understand local storage has many concerns as well, yet the simple default to offload all data to a central target or 'resource' seems just bizarre logic to me...

Isn't that cute. The troll wants to come out and play. What, exactly, does Elcomsoft have to do with privacy? And what does Facebook and Google vacuuming up mountains of data to monetize and make money have to do with Apple?Or were just sitting around waiting for some article you could spam your link to?

Well no actually - I was hoping for meaningful responses, vs fanboys flaming the post - such hostility by those willing to promote letting 'Elvis leave the building'...?

I don't care what the policy, EULA or business interests are of Apple at the moment of the day (subject to change), yet more the general logic of so much existing in some foreign land server with the nature and stability of governance in place at the moment...

And the link - no I have no connection, although it surely was easy to find, and raised the question of security settings by default sending so much off site... They do in fact qualify the intent as not to hack, but for recovery, for those that want to rely on such...

...and I am a mac user, and only own mac hardware, just to set the flaming fanboys straight...

If you think this is only about storing data locally or not, you really need to learn more about what's at stake here.

And, btw, that tool you link to explicitly states that it needs your Apple ID and password in order to get at iCloud data. The only thing it can do without that is attempt to extract data from local backups.

...indeed clarification would be helpful - does Apple or powers that be under the Patriot Act or if war is declared have access to iCloud data...?

I understand local storage has many concerns as well, yet the simple default to offload all data to a central target or 'resource' seems just bizarre logic to me...

It's for simplicity and convenience. I have three Macs, an iPhone, an iPad, and an Apple Watch. It would be a nightmare trying to manually sync messages, mail, photos, contact information, music, passwords, etc between all those devices. iCloud solves that problem.

But this goes beyond just cloud storage. Personal information also extends to information about what I'm doing on my devices, the places I go with them, etc. Who is allowed what access to that information after its collected? And could such information be directly identified with myself or my devices? Apple's policy on such data collection is here: https://www.apple.com/privacy/approach-to-privacy/

If you think this is only about storing data locally or not, you really need to learn more about what's at stake here.

And, btw, that tool you link to explicitly states that it needs your Apple ID and password in order to get at iCloud data. The only thing it can do without that is attempt to extract data from local backups.

...indeed clarification would be helpful - does Apple or powers that be under the Patriot Act or if war is declared have access to iCloud data...?

I understand local storage has many concerns as well, yet the simple default to offload all data to a central target or 'resource' seems just bizarre logic to me...

It's for simplicity and convenience. I have three Macs, an iPhone, an iPad, and an Apple Watch. It would be a nightmare trying to manually sync messages, mail, photos, contact information, music, passwords, etc between all those devices. iCloud solves that problem.

But this goes beyond just cloud storage. Personal information also extends to information about what I'm doing on my devices, the places I go with them, etc. Who is allowed what access to that information after its collected? And could such information be directly identified with myself or my devices? Apple's policy on such data collection is here: https://www.apple.com/privacy/approach-to-privacy/

<...indeed clarification would be helpful - does Apple or powers that be under the Patriot Act or if war is declared have access to iCloud data...?</div>

No. It's encrypted, and Apple doesn't have a decryption key. Under the Patriot Act or the War Powers Act, authorities would get exactly what they get from Apple if they ask (legally) today: general metadata (such as "the person emailed/called/texted this person on this date at this time" but not the contents thereof).

It sounds like your concerns would be alleviated if you did a bit more reading on Apple's privacy policy and more about cloud technology generally. May I suggest you start with apple.com/privacy?

"No one else, not even Apple, can access end-to-end encrypted information"

If your device encrypts the information and then sends it to an iCloud server where it's stored in that exact same encrypted format, Apple cannot decrypt it. Apple does not have the private encryption key your device used to encrypt the data. Apple would only be able to decrypt the data if you sent it without encryption to the iCloud server where they used their own private encryption key to encrypt it before storing it.

There is one exception, however, noted on that page:

"Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple."

So iCloud Backups do include the encryption key used to encrypt your messages. Which, in turn, means that Apple would be able to decrypt those if requested to do so by law enforcement. So turn iCloud Backup off if you truly want to be sure Apple can't decrypt any of your data.

Now, as for what Apple does with iCloud in China, that's a different story. If/when a government mandates that a cloud service be able to decrypt all of the data stored on it, then special provisions need to be put in place to ensure that. But that's not the case in the US (yet).